Rowland penny
2021-May-13 19:47 UTC
[Samba] 'getent group mygroup' fails when 'winbind use default domain = yes'
On 13/05/2021 20:26, Kees van Vloten wrote:
> On 13-05-2021 21:01, Rowland penny via samba wrote:
>> On 13/05/2021 19:29, Kees van Vloten wrote:
>>> Hi Rowland,
>>>
>>> These are the results of the 2 commands:
>>>
>>> 100016
>>>
>>> 2000
>>>
>>> So that matches your expectations :-)
>>
>> Just checking, there have been instances when an OP has claimed that
>> they have added things when they hadn't, not that I really thought
>> this was the problem in your case because 'id' showed the groups.
>>
>>> To make a long story short, I have found the culprit, it is called
>>> 'winbind normalize names = yes'. The interesting bit is that in the
>>> first output I sent that line was commented, I guess the bad results
>>> then were due to not flushing the cache.
>>
>> Probably, always flush the cache after making changes, even if you
>> restart Samba.
>>
>>> I found this as a working configuration:
>>>
>>> [global]
>>>
>>>         allow insecure wide links = yes
>>
>> Some of those are defaults and, as such, could be removed.
>>
>> The last line is interesting, you appear to have attempted to harden
>> your Unix domain member and then you go and blow a large hole in it
>> by adding that line ?
>>
>>> I looked up 'winbind normalize names' in 'man 5 smb.conf':
>>>
>>> This parameter controls whether winbindd will replace whitespace in
>>> user and group names with an underscore (_) character. For example,
>>> whether the name "Space Kadet" should be replaced with the string
>>> "space_kadet".
>>>
>>> And that sounds useful to me. However it looks like it has a
>>> side-effect on groups that already contain an underscore.
>>> Unfortunately all groups in my AD have underscores in their names.
>>>
>>> What do we do now?
>>
>> Remove the line.
>>
>>> Should I file a bug?
>>
>> No, because the smb.conf manpage goes on to say:
>>
>> If your domain possesses names containing the underscore character,
>> this option may cause problems unless the name aliasing feature is
>> supported by your nss_info plugin.
>>
>> So, it is a known feature ?
>>
>> Rowland
>>
> Hi Rowland,
>
> As it seems, I did not read the docs well enough to grasp the
> important note about a known problem :-(
>
> The other issue you raise is indeed something I would love to remove:
> 'allow insecure wide links = yes' or isolate to a single share (that
> is probably the highest reachable).
> I have a windows deploy-share (read-only) with mounted windows iso
> files and those contain extra drivers that are put in the mounted iso
> through an overlayfs and symlinks.
> I looked into another way of putting the windows images together but
> that does not seem to be a simple thing.
>
> [global]
>         ....
>         restrict anonymous = 2
>         map acl inherit = yes
>         store dos attributes = yes
>         allow insecure wide links = yes
>
> [deploy]
>         comment = Windows OS deployment
>         path = /srv/deploy/windows/share
>         read list = @"acl-smb_share_windows_deploy-read_only"
>         read only = yes
>         locking = no
>         follow symlinks = yes
>         wide links = yes
>
> Since it is a read-only share in samba I would expect it to be secure,
> is that assumption correct?

Yes, as far as it goes, but you will probably be able to set finer
access control from Windows, see here:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

> Is there a way to get rid of the global setting 'allow insecure wide
> links'?

Not if you require 'wide links = yes'

Rowland
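The two smb.conf settings the thread turns on, 'winbind normalize names' and the 'wide links' / 'allow insecure wide links' pair, are easy to miss in a long config. The script below is an added example, written for this page and not code from the thread, from Samba or from the Samba wiki: a small sh+awk audit that reads an smb.conf the way smbd does (section headers, case- and whitespace-insensitive parameter names, last assignment wins), flags 'winbind normalize names = yes' with the manpage's underscore caveat, and works out on which shares 'wide links = yes' is actually in effect, since smbd ignores it while 'unix extensions = yes' (the default) unless the global 'allow insecure wide links = yes' is also set. The smb.conf it audits is constructed inline, modelled on the one Kees posted; the workgroup, share and path names are assumptions.

```shell
#!/bin/sh
# Added example (not from the Samba thread): audit an smb.conf for
# 'winbind normalize names' and effective 'wide links'. Uses sh + awk only.
# The config below is constructed for this example; names are assumptions.

make_sample_conf() {
  cat > "$1" <<'EOF'
[global]
        workgroup = SAMDOM
        security = ADS
        winbind use default domain = yes
        ; the line that broke 'getent group' for names containing '_'
        winbind normalize names = yes
        restrict anonymous = 2
        allow insecure wide links = yes

[deploy]
        comment = Windows OS deployment
        path = /srv/deploy/windows/share
        read only = yes
        follow symlinks = yes
        wide links = yes

[homes]
        path = /srv/home
        read only = no
EOF
}

# smb_get CONF SECTION PARAM -> prints the value, or nothing if unset.
# smb.conf parameter names are case-insensitive and ignore internal spaces
# ('winbind normalize names' == 'WinbindNormalizeNames'), so both sides are
# normalised. The last assignment in a section wins, as it does for smbd.
smb_get() {
  awk -v want_sec="$2" -v want_key="$3" '
    function norm(s) { gsub(/[ \t]/, "", s); return tolower(s) }
    BEGIN { want_sec = norm(want_sec); want_key = norm(want_key) }
    /^[ \t]*[;#]/ { next }                       # comment line
    /^[ \t]*\[.*\][ \t]*$/ {                     # [section] header
      sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\][ \t]*$/, "", sec)
      sec = norm(sec); next
    }
    /=/ {
      key = $0; sub(/=.*/, "", key)
      val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
      if (sec == want_sec && norm(key) == want_key) found = val
    }
    END { if (found != "") print found }
  ' "$1"
}

# is_yes VALUE -> true if smbd would read the value as boolean true.
is_yes() {
  case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
    yes|true|1) return 0 ;;
    *) return 1 ;;
  esac
}

# share_names CONF -> every [section] except [global], one per line.
share_names() {
  awk '/^[ \t]*\[.*\][ \t]*$/ {
         s = $0; sub(/^[ \t]*\[/, "", s); sub(/\][ \t]*$/, "", s)
         if (tolower(s) != "global") print s
       }' "$1"
}

# wide_link_shares CONF -> shares on which wide links really take effect.
# A per-share 'wide links = yes' is ignored by smbd while 'unix extensions'
# is yes (the default) unless the global 'allow insecure wide links = yes'
# is set, which is why the thread ends with both lines.
wide_link_shares() {
  conf=$1
  unixext=$(smb_get "$conf" global 'unix extensions'); : "${unixext:=yes}"
  insecure=$(smb_get "$conf" global 'allow insecure wide links')
  share_names "$conf" | while read -r share; do
    is_yes "$(smb_get "$conf" "$share" 'wide links')" || continue
    if is_yes "$unixext" && ! is_yes "$insecure"; then continue; fi
    printf '%s\n' "$share"
  done
}

# audit CONF -> one finding per line; empty output means nothing to report.
# ('read only' defaults to yes; the 'writeable' synonym is not considered.)
audit() {
  conf=$1
  if is_yes "$(smb_get "$conf" global 'winbind normalize names')"; then
    echo "normalize: 'winbind normalize names = yes' maps whitespace to '_'; per man smb.conf this may break names that already contain '_' unless the nss_info plugin supports aliasing"
  fi
  if is_yes "$(smb_get "$conf" global 'allow insecure wide links')"; then
    echo "widelinks: global 'allow insecure wide links = yes' re-enables symlink escapes on every share that sets 'wide links = yes'"
  fi
  wide_link_shares "$conf" | while read -r share; do
    ro=$(smb_get "$conf" "$share" 'read only')
    echo "share: [$share] can follow symlinks outside its path (read only = ${ro:-yes})"
  done
}

SAMPLE_CONF=${TMPDIR:-/tmp}/smb-audit-example.$$
trap 'rm -f "$SAMPLE_CONF" "$SAMPLE_CONF.hardened"' EXIT
make_sample_conf "$SAMPLE_CONF"
audit "$SAMPLE_CONF"

# The question at the end of the thread: what if only the global line goes?
grep -v 'allow insecure wide links' "$SAMPLE_CONF" > "$SAMPLE_CONF.hardened"
echo "--- after dropping the global line ---"
audit "$SAMPLE_CONF.hardened"
echo "wide links effective on: $(wide_link_shares "$SAMPLE_CONF.hardened" | tr '\n' ' ')"
```

On a real domain member point `audit` at the output of `testparm -s` rather than at the raw file, so that includes are resolved and the same parsing rules smbd uses apply; after any change, restart Samba and flush the winbind cache (`net cache flush`) before re-testing `getent group`, as advised above, or a stale cache will hide the effect of the edit.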